Feeds

NSA coughs to 1000s of unlawful acts of snooping on US soil since 2008

Oversight judge admits: 'I've no idea what the true figure is'

Secure remote control for conventional and virtual desktops

The NSA violated privacy laws thousands of times in the last five years by spying on US citizens, an internal audit by the super-snoopers has disclosed.

The Washington Post reports that the intelligence agency also overstepped its legal remit since Congress gave it broad powers in 2008.

Most of the violations involved unauthorised surveillance of Americans and foreigners in the US. Problems arose thanks to clumsy operator mistakes, insufficient or inaccurate research, failures to follow the correct procedures and even typos.

Meanwhile, system errors led to further problems, such as failures to recognise foreign phone users who roamed onto US soil but whose data was hoovered up anyway.

An NSA internal audit, leaked to the Washington Post by former NSA contractor turned whistleblower Edward Snowden, logs 2,776 incidents of "unauthorized collection, storage, access to or distribution of legally protected communications" in the year to May 2012.

Most were accidental mishaps where procedures were not followed correctly, but some involved violations of a court order - such as a February 2012 incident involving the unauthorised retention of 3,000 files that a surveillance court had ordered the NSA to destroy.

Violations include unauthorised access to intercepted communications and the use of automated systems without built-in safeguards to prevent unlawful surveillance.

NSA 'marking its own homework'

The audit only covers figures from the NSA's Maryland headquarters and Washington DC offices and not those from its regional collection centres.

In some cases, the NSA decided that it didn't need to report the unintended surveillance of US residents and citizens. One glaring example of unreported dragnet overreach occurred in 2008 when a programming error resulted in the interception of a large number of calls made in the Washington DC area: buggy software confused the US telephone area code 202 with intentional calls made to Egypt (country code +20).

In another case the Foreign Intelligence Surveillance Court was not told about a data collection programme run by the NSA until months after it was up and running. The court eventually ruled in October 2011 that hoovering up international communications passing through fibre-optic cables in the United States, was unconstitutional because Americans' emails and other net traffic was collected. The agency was ordered to drop the collection programme within 30 days unless it figured out a way to filter out US citizens' traffic.

Evading official scrutiny

Another leaked document instructs NSA analysts about how to explain their targeting decisions without giving "extraneous information" to overseers in the Department of Justice, Congress or the special court that scrutinises surveillance. NSA personnel are "instructed to remove details and substitute more generic language in reports to the Justice Department and the Office of the Director of National Intelligence", the Post reports.

This relates to an internal NSA document [PDF] that offers rationales for targeting and provides examples of the kinds of people the NSA may spy on - and that's besides amassing 1.6 per cent of the world's net communications. The document makes for an interesting read.

Other training files explain that analysts do not need to report "incidental" collection of data from US citizens, green-card holders or companies to the NSA Inspector General because (in the opinion of the NSA) it is not deemed a violation of the rules.

Signals intelligence spooks are allowed to use anonymised sets of data routinely, and with supervisory permission they may unmask the identities of US persons in reports to the agency's clients, such as the CIA and US military, among others.

FISA judge: We can't investigate non-compliance

In response to the Post's revelations about its violation of privacy rules, the NSA said it attempts to identify problems "at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down".

“We’re a human-run agency operating in a complex environment with a number of different regulatory regimes, so at times we find ourselves on the wrong side of the line,” a senior NSA official told the Post in an interview.

The chief judge of the secret court tasked with overseeing the NSA's dragnet surveillance said his court's powers of scrutiny are limited because it is reliant on government reports of improper spying. There is no independent verification, the Post reports.

"The FISC is forced to rely upon the accuracy of the information that is provided to the Court," its chief, U.S. District Judge Reggie B. Walton, said in a written statement to The Washington Post. "The FISC does not have the capacity to investigate issues of non-compliance, and in that respect the FISC is in the same position as any other court when it comes to enforcing [government] compliance with its orders."

The judge's frank admission pulls the rug out from under repeated assurances from President Obama and his officials that the secret intelligence court provides robust oversight of government surveillance. ®

Beginner's guide to SSL certificates

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
prev story

Whitepapers

Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.